Overview

Governments, companies, and educational institutions are doomed to deal with endless streams of software vulnerabilities unless programmers learn to write much more secure code. Part of the charter of OWASP is to assist in making application security visible which requires at its core, dedicated individuals who are savage in the pursuit of excellence.

Several initiatives are underway to improve secure software development skills and knowledge. Oracle, Microsoft, and a few other software companies are conducting short courses for their developers. Consulting firms such as Accenture and Cognizant are investing heavily in teaching secure coding practices to not just security professionals, but all their staff at large. Dozens of universities in the United States, Canada, China, Trinidad and Brazil are creating elective courses on secure software development. Yet, even if all of those initiatives are successful, they are unlikely to affect even two percent of the existing millions of developers already in the work force or those who will be entering the work force over the next five years.

The need for certification in this space is immense. The lack of accountability or at least a way to tell qualified security professionals from those that aren't is difficult. We understand that for traditional software development, applications better compile or they don't go live, developers don't get their bonus and some may even see their employment terminated. In security, there is generally no bar to clear.

Enterprises are under duress in order to translate the requirements of PCI, SoX, HIPAA and other guidance to their daily practice, yet find that those charged sometimes aren't fit for duty. In order to close the gap, they invest significant funding in education and certification. At the highest levels, this is a noble goal; however there is almost always a coupling of certification to courseware where candidates only learn enough to pass a test. For enterprises that don't invest in their employees but do believe in hiring talent on demand, they seek the ability to have a single certification that their recruiting staff can use to filter the great from the masses and the OWASP People Certification Project is the answer to all these concerns and more...

Project Goals

The project has six goals:

Allow employers to rate their developers and architects on security skills so they can be confident that every project has at least one "security master" and all of their developers and architects understand the common errors and how to avoid them.

Provide a means for buyers of software and systems vendors to measure the secure programming skills of the people who work for the supplier.

Allow developers and architects to identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps.

Allow employers to evaluate job candidates and potential consultants on their secure design & development skills and knowledge.

Provide incentive for universities to include secure software design & development in required computer science, engineering, and programming courses.

Provide reporting to allow individuals and organizations to compare their skills against others in their industry, with similar education or experience or in similar regions around the world.

Joining the Project

If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the Certification Project mailing list, or contact James McGovern.